Using Static Analysis to Improve Product Quality, Earlier and Cheaper

By Bill Graham

Fixing bugs is expensive. Fixing bugs is more expensive the later you leave them; in fact, it has been shown to cost an order of magnitude more with each major phase of development. The famous defect cost chart from Capers Jones shows the cost of a bug going from $25 at the coding phase to $16,000 in development. Not only that, but most bugs are introduced into the system at the coding stage, yet very few of them are found there. Logic says we should fix them earlier to save money.

(Source: Applied Software Measurement, Capers Jones, 1995)

Static analysis tools such as those offered by our partner Coverity Inc. provide an easy, non-obtrusive way to detect defects in the source code as it is being coded. These tools can find all sorts of defects even before the code is submitted to version control or compiled into your integration builds. Significant and dangerous errors such as buffer and integer overflows, format string vulnerabilities and poor coding techniques can be found in your source code. Static analysis tools can also be integrated into your build environment, as part of your nightly integration builds for example. What is also extremely powerful is the integration of these tools into our Wind River Workbench. Developers can quickly and easily check for bugs in the code from within the integrated development environment: a quick click and the code file you are currently working on is checked for bugs. Developers are understandably skeptical, but the success rate for static analysis tools is high and the technology has improved to the point where false positives (detected bugs that turn out not to be errors) are very low, typically less than 5%.
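To make concrete what a desktop static check looks for, here is an added example that is not from the post and not Coverity's or Wind River's code: a deliberately simplified, pattern-based checker for two of the defect classes named above, unbounded string copies (buffer overflows) and non-literal format strings. The C fragment it scans is constructed for the demo. A commercial analyzer does interprocedural data-flow analysis rather than line-level pattern matching; the `printf(fmt, n)` line in the sample is included precisely because a pattern checker flags it while a data-flow analyzer would see that `fmt` is a constant, which is the kind of false positive the post says good tools have driven below 5%.

```python
# Toy pattern-based static checker (added example, not a product's code).
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Index of the format-string argument for each printf-family function.
FORMAT_ARG_INDEX: Dict[str, int] = {
    "printf": 0, "fprintf": 1, "sprintf": 1, "snprintf": 2, "syslog": 1,
}

# Functions with no destination bound: the classic buffer overflow (CWE-120).
UNBOUNDED_COPY: Dict[str, str] = {
    "gets": "reads unbounded input; use fgets",
    "strcpy": "no length check; use a bounded copy and check sizes",
    "strcat": "no length check; use a bounded concatenation",
    "sprintf": "no output bound; use snprintf",
}

CALL_RE = re.compile(r"\b(\w+)\s*\(")
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/")


@dataclass
class Finding:
    line: int      # 1-based line number in the scanned source
    check: str     # CWE identifier of the defect class
    message: str


def _call_args(code: str, open_idx: int) -> Optional[List[str]]:
    """Return the top-level comma-separated arguments of the call whose '('
    is at open_idx, or None if the call does not close on this line."""
    depth, in_str = 0, False
    args: List[str] = []
    cur: List[str] = []
    i = open_idx
    while i < len(code):
        ch = code[i]
        if in_str:                       # inside a string literal: commas and parens are data
            cur.append(ch)
            if ch == "\\" and i + 1 < len(code):
                i += 1
                cur.append(code[i])      # keep the escaped character verbatim
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:
                cur.append(ch)           # nested call: keep its parens in the argument text
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    return None


def analyze(source: str) -> List[Finding]:
    """Scan C source line by line and return findings in line order."""
    findings: List[Finding] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        code = BLOCK_COMMENT_RE.sub("", line.split("//", 1)[0])   # drop comments
        for m in CALL_RE.finditer(code):
            name = m.group(1)
            args = _call_args(code, m.end() - 1)
            if args is None:
                continue
            if name in UNBOUNDED_COPY:
                findings.append(Finding(lineno, "CWE-120", f"{name}(): {UNBOUNDED_COPY[name]}"))
            idx = FORMAT_ARG_INDEX.get(name)
            if idx is not None and idx < len(args) and not args[idx].startswith('"'):
                findings.append(Finding(lineno, "CWE-134",
                                        f"{name}(): format argument '{args[idx]}' is not a string literal"))
    return findings


# Constructed sample: a logging helper carrying the defects the checker looks for.
SAMPLE_SOURCE = r"""#include <stdio.h>
#include <string.h>

void log_msg(const char *msg, int n) {
    char buf[64];
    const char *fmt = "%d\n";
    strcpy(buf, msg);                      /* unbounded copy into buf[64] */
    printf(msg);                           /* caller-controlled format string */
    printf(fmt, n);                        /* constant in practice: a false positive here */
    printf("%s\n", buf);                   /* literal format string: fine */
    snprintf(buf, sizeof buf, "%s", msg);  /* bounded copy: fine */
}
"""

if __name__ == "__main__":
    for f in analyze(SAMPLE_SOURCE):
        print(f"sample.c:{f.line}: [{f.check}] {f.message}")
```

Run as a script it prints three compiler-style findings for the sample (lines 7, 8 and 9); the `snprintf` and literal `printf` lines pass. Hooking a check like this into a pre-commit step or an IDE action is the "check at the developer's desktop" idea the post describes, even though a real tool's analysis is far deeper than this pattern match.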

Using tools like Coverity's Static Analysis in addition to automated test tools (Wind River Test Management and IPL's Cantata++, for example) is a great way to improve on the graph above. Imagine the return on your investment: every bug you find and fix at the developer's desktop saves you $1000 if you are lucky enough to catch it during integration, or even $16,000 if it makes it into customer hands.

Wind River Blog Network
